The CI ecosystem is large and complex, especially at a company like Discover. What follows is one employee’s personal insight into how to manage risk at a company where the stakes are high.
Some Background on Discover’s Code and Platform
The CI platform at Discover today is as follows:
- They use GitHub, with many repositories in a variety of languages.
- They use all products from Sonatype.
There are a lot of challenges when it comes to consuming open-source software today, especially when it comes to security. The manual vetting approach is error-prone and time-consuming, and it cannot scale to meet the ever-growing demand.
It’s also worth noting that once it’s inside the enterprise, OSS is rarely reviewed again for vulnerabilities. Since security risk is proportional to the age of the OSS component, this is a problem.
Within much of Discover, open-source is heavily used. This squares with the general rule: that 80% to 90% of a modern app consists of assembled components.
This modern software requires a modern approach. The feedback has to be quick and precise. Context is also very important, because acceptable licenses can vary depending on the type of application, as can the environments in which it is meant to run. And besides all this, the tool you use to get such feedback also has to be continuous.
Is OSS Risky?
Let’s talk about the flatmap-stream incident.
A malicious developer became a maintainer of event-stream and poisoned one of its updates after introducing a dependency. An infected npm package was downloaded as a dependency of a popular npm package. The attack was aimed at a bitcoin wallet.
Here’s the lesson from the flatmap-stream incident: attackers will continue to turn vulnerabilities into malicious code or inject malicious code into our software.
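The three points above (components are rarely re-reviewed as they age, license policy depends on the application's context, and a poisoned package arrives as a transitive dependency that nobody added deliberately) can be checked automatically on every build. The following is an added example, not code from the article or from any Sonatype product: a small policy gate over a lockfile-style dependency tree. Every package name, version, release date and advisory entry in it is constructed for illustration, and the policy thresholds are assumptions.

```javascript
// Added example (not the article's or Sonatype's code): a CI policy gate over a
// dependency tree. All data below is constructed; nothing here is a real package.

const constructedLockfile = {
  name: "demo-app",
  version: "1.0.0",
  dependencies: {
    "stream-utils": {
      version: "3.1.0", license: "MIT", released: "2018-09-01",
      dependencies: {
        // Transitive dependency: it never appears in demo-app's own manifest.
        "tiny-mapper": { version: "0.1.1", license: "MIT", released: "2018-11-20" },
      },
    },
    "old-parser": { version: "1.0.0", license: "GPL-3.0", released: "2014-02-10" },
  },
};

// Constructed advisory feed: (name, version) pairs known to be bad.
const constructedAdvisories = [
  { name: "tiny-mapper", versions: ["0.1.1"], reason: "patch release contains injected malicious code" },
];

// Assumed policy: the license allowlist depends on the application context, and
// components older than maxAgeDays are flagged for re-review, since risk grows with age.
const policy = {
  licenseAllow: {
    "distributed-product": ["MIT", "Apache-2.0", "BSD-3-Clause"],
    "internal-service": ["MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0"],
  },
  maxAgeDays: 3 * 365,
};

// Depth-first walk that records the full path of each component, so a finding on a
// transitive dependency can be traced to the direct dependency that pulled it in.
function flattenTree(node, name, path = []) {
  const here = [...path, name];
  const out = [];
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    out.push({
      name: depName, version: dep.version, license: dep.license,
      released: dep.released, path: [...here, depName].join(" > "),
    });
    out.push(...flattenTree(dep, depName, here));
  }
  return out;
}

// Apply the three checks to every component and return the list of findings.
function evaluate(lockfile, context, pol, advisories, now) {
  const allowed = new Set(pol.licenseAllow[context] || []);
  const nowMs = Date.parse(now);
  const findings = [];
  for (const c of flattenTree(lockfile, lockfile.name)) {
    const adv = advisories.find(a => a.name === c.name && a.versions.includes(c.version));
    if (adv) findings.push({ ...c, rule: "advisory", detail: adv.reason });
    if (!allowed.has(c.license)) {
      findings.push({ ...c, rule: "license", detail: `${c.license} not allowed for ${context}` });
    }
    const ageDays = (nowMs - Date.parse(c.released)) / 86_400_000;
    if (ageDays > pol.maxAgeDays) {
      findings.push({ ...c, rule: "stale", detail: `${Math.floor(ageDays)} days since release` });
    }
  }
  return findings;
}

// The build passes only when there are no findings; "now" is injectable for testing.
function gate(lockfile, context, now = new Date().toISOString()) {
  const findings = evaluate(lockfile, context, policy, constructedAdvisories, now);
  return { pass: findings.length === 0, findings };
}

const demo = gate(constructedLockfile, "distributed-product", "2019-06-01");
for (const f of demo.findings) {
  console.log(`[${f.rule}] ${f.path}@${f.version}: ${f.detail}`);
}
```

Run against the constructed tree on 2019-06-01, the gate reports the poisoned transitive package with its full path (`demo-app > stream-utils > tiny-mapper`), the GPL-licensed component that is fine for an internal service but not for a distributed product, and the five-year-old component that is due for re-review regardless of context. Hooking a check like this into the pipeline is what turns one-time vetting into the continuous feedback the text asks for.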
The Solution: Nexus
Nexus